CVE-2026-45577
Authentication Bypass in Neotoma via Loopback Socket
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45577 is an authentication bypass vulnerability in Neotoma versions 0.6.0 to before 0.11.1. The issue arises when public requests that are reverse-proxied and received over a loopback socket without a Bearer token are mistakenly treated as local requests by the application.
This causes the REST authentication middleware to resolve these unauthenticated requests as if they came from the local development user, allowing unauthorized access to the Inspector and related API endpoints without credentials.
The vulnerability occurs in deployments behind a reverse proxy or same-host tunnel forwarding traffic to the Node process over loopback. It was fixed in version 0.11.1 by changing the authentication logic to fail closed in production unless loopback trust is explicitly enabled.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to access sensitive parts of the Neotoma application, such as the Inspector and API endpoints, without providing any authentication credentials.
As a result, production data could be exposed to the public or attackers, potentially leading to data leaks or unauthorized manipulation of the application.
The impact is especially significant in environments where Neotoma is deployed behind reverse proxies or tunnels that forward traffic over loopback sockets, as these setups are vulnerable to this authentication bypass.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs when public reverse-proxied requests are treated as local loopback connections without a Bearer token, allowing unauthenticated access to the Inspector and API endpoints.
To detect this on your system, you should monitor incoming requests forwarded over loopback sockets and check if any requests lack Bearer tokens but are still treated as local.
You can use network monitoring tools or commands to inspect traffic on loopback interfaces (e.g., lo) and analyze HTTP headers for missing Authorization Bearer tokens.
- Use tcpdump or tshark to capture traffic on the loopback interface: tcpdump -i lo -A 'tcp port 80 or tcp port 443'
- Filter captured HTTP requests to identify those without an Authorization header or Bearer token.
- Check your Neotoma logs for any unauthenticated requests being resolved as the local development user.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Neotoma to version 0.11.1 or later, where the vulnerability is fixed.
If upgrading immediately is not possible, ensure that the environment variable NEOTOMA_TRUST_PROD_LOOPBACK is not set to 1 in production, as this disables the safe default behavior.
Review your reverse proxy and loopback socket configurations to avoid forwarding public requests as local loopback traffic.
Verify that authentication middleware properly rejects unauthenticated requests and does not treat them as local development users.